JP2020102741A - Authentication system, authentication method, and authentication program - Google Patents

Abstract

To provide an authentication system, an authentication method, and an authentication program which are very convenient to users and have improved security.SOLUTION: In an authentication system 500, a resource server includes: a first storage part for storing user information of a user terminal and service information of a service server; an encryption part for encrypting the user information in response to an access request from the user terminal to the service server; and a transmission part for transmitting the encryption user information encrypted by the encryption part to the user terminal. An authentication server includes: a second storage part for storing service information; a reception part for receiving the service information together with the encryption user information from the service server which has received the encryption user information from the user terminal; a decryption key generation part for generating an authentication side decryption key for decrypting the encryption user information when it is determined that the service server is true on the basis of the service information stored in the second storage part and corresponding to the received service information; and a transmission part for transmitting the authentication side decryption key to the service server.SELECTED DRAWING: Figure 1

Description

The present invention relates to an authentication system, an authentication method, and an authentication program, and more particularly, to an authentication system and the like for authenticating a user who uses a service provided by a client who is a service providing side by a more secure and simple method. ..

In recent years, various services such as a payment service and a reservation service are provided online via a communication network. In such an online service system, user authentication processing is performed so that services are provided only to registered users.

Here, the user who uses the service needs to create an account for each service and manage the user information such as the user ID and the password, which is troublesome. In order to eliminate this user's trouble, a so-called single sign-on technique is known (for example, Patent Document 1). In the system described in Patent Document 1, in a system that uses a plurality of websites that require user authentication from a user terminal, a proxy that acts on behalf of the user authentication on the website is placed between the web server and the user terminal. It is said that by proxying this proxy for user authentication on the website, the number of user authentication operations that the user has to perform on the user terminal when using the website is significantly reduced.

JP, 2002-032340, A

However, in the technique described in Patent Document 1, since the authentication information of all users is stored in the user authentication proxy device, there is a problem of trust in the user authentication proxy device. Moreover, when the user authentication proxy device is illegally accessed, the authentication information of all users may be leaked.

Therefore, the present invention provides an authentication system, an authentication method, and an authentication program that solve the above problems, are highly convenient for users, and have improved safety.

An authentication system for authenticating access to a service server by a user terminal according to an embodiment of the present invention includes an authentication server and a resource server, and the resource server includes user information about a user of the user terminal and a service server. First storage unit that stores at least service information related to the service, an encryption unit that encrypts user information related to the user of the user terminal in response to an access request to the service server sent from the user terminal, and an encryption unit. A second storage unit that stores service information related to services of the service server; and a transmission unit that transmits encrypted user information encrypted by the user terminal to the user terminal; From the service server received from the service server, the service information related to the service of the service server is received together with the encrypted user information, and the service information stored in the second storage unit corresponding to the service information received by the receiving unit. If the service server that transmitted the service information is determined to be true based on the above, the decryption key generation unit that generates the authentication side decryption key for decrypting the encrypted user information and the authentication side decryption key are transmitted to the service server. And a transmitting unit that does.

In the authentication system according to the embodiment of the present invention, the resource server generates a unique decryption key unique to the service server and transmits the unique decryption key to the service server, and the decryption key generation unit combines with the unique decryption key to perform decryption. The authentication side decryption key may be generated so that the encrypted user information is decrypted by.

In the authentication system according to the embodiment of the present invention, the transmission unit in the resource server transmits display information to the user terminal, the display information causing the user terminal to display an item selection screen for selecting an item to be transmitted as user information from a plurality of items. You may.

In the authentication system according to the embodiment of the present invention, the encryption unit in the resource server is configured to access the item selection screen in the user terminal in response to the access request to the service server transmitted from the user terminal. The user information may be encrypted.

In the authentication system according to the embodiment of the present invention, the service information stored in the first storage unit and the second storage unit includes the IP address of the service server, and the decryption key generation unit of the authentication server When the IP address included in the service information stored in the second storage unit corresponding to the service information received by the receiving unit matches the IP address of the transmission source of the service information received by the receiving unit, the service information is transmitted. The service server that has executed may be determined to be true.

In the authentication system according to the embodiment of the present invention, a predetermined reward may be associated with a user whose item transmitted as user information satisfies a predetermined condition.

An authentication system according to an embodiment of the present invention may include a plurality of service servers, and the first storage unit of the resource server may associate different user IDs as user information for each service used by the user.

According to an embodiment of the present invention, an authentication method of an authentication system including an authentication server and a resource server for authenticating access to a service server by a user terminal includes a resource server, a first storage unit, and a user terminal Storing at least user information about the user and service information about the service of the service server, and encrypting the user information about the user of the user terminal in response to an access request sent from the user terminal to the service server. And transmitting the encrypted user information encrypted by the encrypting step to the user terminal, and the authentication server storing the service information related to the service of the service server in the second storage unit. A second storage corresponding to the service information received in the receiving step, together with the encrypted user information, from the service server receiving the encrypted user information from the service server, the service information related to the service of the service server. If the service server that has transmitted the service information is determined to be true based on the service information stored in the copy section, the step of generating an authentication side decryption key for decrypting the encrypted user information, and the authentication side decryption key are And a step of transmitting to the service server.

An authentication program of an authentication system including an authentication server and a resource server for authenticating access to a service server by a user terminal according to an embodiment of the present invention includes a resource server, user information about a user of a user terminal, and A first storage function for storing at least service information regarding a service of the service server, and an encryption function for encrypting user information regarding a user of the user terminal in response to an access request to the service server transmitted from the user terminal, A second storage function that realizes a transmission function of transmitting encrypted user information encrypted by the encryption function to a user terminal, and stores a service information regarding a service of the service server in the authentication server, and an encrypted user. Stored by the second storage function, which corresponds to the service information received by the reception function and the reception function that receives the service information related to the service of the service server together with the encrypted user information from the service server that receives the information from the user terminal. If the service server that sent the service information is determined to be true based on the service information obtained, the decryption key generation function that generates the authentication side decryption key for decrypting the encrypted user information and the authentication side decryption key It realizes the transmission function of transmitting to the server.

According to the present invention, it is possible to provide an authentication system, an authentication method, and an authentication program that are highly convenient for users and have improved security.

It is a schematic diagram of an authentication system composition concerning one embodiment of the present invention. (A), (b) is a schematic diagram explaining the authentication system concerning one embodiment of the present invention. It is a hardware block diagram of the information processing apparatus (server, terminal) in the authentication system which concerns on one Embodiment of this invention. It is an example of a functional block diagram of an authentication server and a resource server according to an embodiment of the present invention. It is an example of a functional block diagram of a user terminal and a service server concerning one embodiment of the present invention. FIG. 7 is a sequence diagram of a pre-registration process among a user terminal, a service server, an authentication server, and a resource server in the authentication system according to the embodiment of the present invention. It is an example of information stored in a resource server. It is an example of information stored in the authentication server. It is an example of information stored in the service server. 6 is an example of a display screen of a user terminal in the authentication system according to the embodiment of the present invention. FIG. 8 is a sequence diagram of an authentication process among a user terminal, a service server, an authentication server, and a resource server in the authentication system according to the embodiment of the present invention. 6 is an example of a display screen of a user terminal in the authentication system according to the embodiment of the present invention. 6 is an example of a display screen of a user terminal in the authentication system according to the embodiment of the present invention. 6 is an example of a display screen of a user terminal in the authentication system according to the embodiment of the present invention.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

<Outline of authentication system>
First, the outline of the authentication system according to the embodiment of the present invention will be described with reference to FIG. FIG. 2A is a diagram illustrating a problem in the conventional online service, and FIG. 2B is an explanatory diagram of an authentication system according to an embodiment of the present invention.

In online services, account sharing, unauthorized access by fake users, registration of multiple accounts by one user, and registration of accounts by bots can occur. Further, since one user can have multiple accounts for one service, the service provider cannot confirm the authenticity of the information of the user who uses the provided service, and the service provided by the user cannot be confirmed. There is a problem that accurate information cannot be stored. Further, when using a plurality of services, the user needs to register an account for each service, which is troublesome and the user's credit cannot be stored online.

To solve these problems, as shown in FIG. 2B, in the authentication system according to the embodiment of the present invention, the user and the service provider respectively register in the authentication system, and the user information of the registered user (authentication system account) is registered. Is used for authentication processing (certification processing) on a plurality of service providers who are also registered users. As will be described later in detail, since authenticity of user information is guaranteed at the time of registration in the authentication system, the service providing side can obtain highly reliable information regarding the user who uses the service provided by the service providing side. .. Further, on the user side, user information registered in the authentication system is used as user information for registering in a plurality of services. Therefore, the user does not need to perform the troublesome registration process a plurality of times. Further, there is an advantage that the user can accumulate the usage history of a plurality of services as the credit of the user. The above is the outline of the present invention.

In the present specification, “user information” is user information associated with a user's account in a predetermined service. The user information is, for example, a user's name, a user's icon image, a user's age, a user's sex, a user's address, a user's hobby, a telephone number, which is input by the user or given by a predetermined service. User's contact information such as email address and e-mail address, user's identifier (user ID (IDentifier)), payment information associated with the user, user's nationality, user terminal ID, registration date to authentication service, registration to each service The date may be included, and any one or a combination of these may be used. The user information may be stored by associating the user ID with other user information other than the user ID.

Further, in the present specification, the “service information” may include information on the service providing side and identification information for identifying the service providing side in the authentication system. The information about the service provider includes, for example, the name of the service provider, the content of the service, the business scale of the service provider, the capital, the business form (type of company, limited company, etc.), the number of employees, the year of establishment, and the transaction The information may include information on banks and the like, the date of registration in the authentication system, etc., and any one or a combination thereof may be used. Further, the identification information may be a service identifier (ID) given to the service providing side in the authentication system 500, a unique secret key described later, a unique decryption key, or the like.

<System configuration>
A system configuration of an authentication system according to an embodiment of the present invention will be described with reference to FIG. As shown in FIG. 1, the authentication system 500 includes a resource server 100, an authentication server 200, a plurality of user terminals 300 (300A and 300B), and a plurality of service servers 400 (connected to each other via a network NET. 400A, 400B). Although only two service servers and two user terminals are shown in the figure, it goes without saying that there may be more.

The service servers 400A and 400B are servers on the service providing sides A and B that provide predetermined services via the network NET. The predetermined service may be, for example, a reservation service, a payment service, an SNS (Social Networking Service), a shopping service, a vehicle dispatch service, a delivery service, an online game service, or the like. Note that, hereinafter, the service servers 400A and 400B are generically referred to as the service server 400 unless it is necessary to distinguish them. Note that the service server 400 may be typically implemented on the cloud.

The user terminals 300A and 300B are information processing terminals associated with the users A and B, respectively. In the figure, the user terminals 300A and 300B are shown as smartphones, but the user terminals may be of any type as long as they can use a predetermined service provided by the service server 400 via the network NET. .. Note that, hereinafter, the user terminals 300A and 300B will be collectively referred to as the user terminal 300 unless it is necessary to distinguish them. The user terminal 300 is, for example, a smartphone, a mobile phone (feature phone), a handheld computer device (for example, PDA (Personal Digital Assistant), etc.), a wearable terminal (for example, glasses-type device, a clock-type device, a head-mounted display (HMD: Head-Mounted Display, etc.), other types of computers, or communication platforms.

The network NET may include a wireless network or a wired network. Specifically, the network NET includes a wireless LAN (WLAN), a wide area network (WAN), ISDNs (integrated service digital networks), wireless LANs, LTE (long term evolution), LTE-Advanced, The fourth generation (4G), the fifth generation (5G), CDMA (code division multiple access), and the like. The network NET is not limited to these examples. For example, the public switched telephone network (PSTN), Bluetooth (registered trademark), optical line, ADSL (Asymmetric Digital Subscriber LINE) line, satellite. It may be a communication network or the like. Further, the network NET may be a combination of these.

The resource server 100 encrypts the user information of the authentication system 500 and provides it to the service server 400 via the user terminal 300. The service server 400 requests the authentication server 200 for a decryption key for decrypting encrypted user information (hereinafter referred to as “encrypted user information”). The authentication server 200 determines whether or not the request is an unauthorized access, and when it is not an unauthorized access, generates a decryption key for decrypting the encrypted user information and provides the decryption key to the service server 400. The service server 400 decrypts the encrypted user information using the decryption key received from the authentication server 200 and the unique decryption key unique to the service server 400 acquired in advance from the resource server 100, and the user of the user who uses the service. Acquire information (details will be described later).

<Hardware configuration>
Here, the hardware configuration of the resource server 100 will be described with reference to FIG. Although illustrated as the resource server 100 in FIG. 3, the authentication server 200, the service server 400, and the user terminal 300 have the same basic hardware configuration, and thus will be described as an information processing device. Further, in FIG. 3, the reference numerals corresponding to the authentication server 200 are shown in parentheses.

The information processing apparatus 100 includes a processor 101, a memory 102, a storage 103, an input/output interface (I/F) 104, and a communication I/F 105, and the cooperation of these elements describes the present embodiment. Realize functions and methods. For example, the function or method of the present disclosure is realized by the processor 101 executing an instruction included in a program read into the memory 102.

The processor 101 executes a function and/or a method realized by a code or an instruction included in a program stored in the storage 103. The processor 101 is, for example, a central processing unit (CPU), MPU (Micro Processing Unit), GPU (Graphics Processing Unit), microprocessor (microprocessor), processor core (processor core), multiprocessor (multiprocessor), ASIC (Application- Specific integrated circuit), FPGA (Field Programmable Gate Array), etc., and implemented by a logic circuit (hardware) or dedicated circuit formed in an integrated circuit (IC (Integrated Circuit) chip, LSI (Large Scale Integration)) or the like. Each process disclosed in the embodiment may be realized. Further, these circuits may be realized by one or a plurality of integrated circuits, and the plurality of processes shown in each embodiment may be realized by a single integrated circuit. Further, the LSI may be referred to as VLSI, super LSI, ultra LSI, or the like depending on the degree of integration.

The memory 102 temporarily stores the program loaded from the storage 103 and provides a work area to the processor 101. The memory 102 also temporarily stores various data generated while the processor 101 is executing the program. The memory 102 includes, for example, a RAM (Random Access Memory), a ROM (Read Only Memory), and the like.

The storage 103 stores the program. The storage 103 includes, for example, a HDD (Hard Disk Drive), an SSD (Solid State Drive), a flash memory, and the like.

The communication I/F 105 is implemented as hardware such as a network adapter, communication software, and a combination thereof, and transmits/receives various data via the network NET. The communication may be executed by wire or wireless, and any communication protocol may be used as long as mutual communication can be executed. The communication I/F 105 executes communication with other information processing devices via the network NET. The communication I/F 105 transmits various data to another information processing device according to an instruction from the processor 101. Further, the communication I/F 105 receives various data transmitted from another information processing device and transfers the data to the processor 101.

The input/output I/F 104 includes an input device that inputs various operations on the information processing device 100, and an output device that outputs a processing result processed by the information processing device 100. In the input/output I/F 104, an input device and an output device may be integrated, or an input device and an output device may be separated. The input device is realized by any of all types of devices that can receive an input from a user and transmit information related to the input to the processor 101, or a combination thereof. The input device includes, for example, a hardware key such as a touch panel, a touch display, and a keyboard, a pointing device such as a mouse, a camera (operation input via an image), and a microphone (operation input by voice). The output device outputs the processing result processed by the processor 101. The output device includes, for example, a touch panel, a speaker, and the like.

<Functional configuration>
Although details will be described later, the functional configuration of each device will be briefly described with reference to FIGS. 4 and 5. The functional units shown in FIG. 4 are not essential, and other functional units may be provided. Further, the function or processing of each functional unit may be realized by machine learning or AI (Artificial Intelligence) within a feasible range.
(1) Resource Server As shown in FIG. 4, the resource server 100 includes a communication control unit 110, an input/output control unit 120, a determination unit 130, a generation unit 140, an encryption unit 150, and a storage unit 160.

The communication control unit 110 controls communication with an external device via the communication I/F 105. That is, the communication control unit 110 transmits the data acquired by the communication with the user terminal 300 and the service server 400 to the determination unit 130 and the storage unit 160, and transfers the data from the functional units to the user terminal 300 and the storage unit 160. It is transmitted to the service server 400. Therefore, the communication control unit 110 functions as a transmission unit and a reception unit that transmits/receives data to/from an external device (user terminal 300, service server 400).

For example, the communication control unit 110 receives user information about the user of the user terminal 300 from the user terminal 300. Further, the communication control unit 110 receives service information regarding the service providing side of the service server 400 from the service server 400. The received user information and service information are stored (stored) in the user information database (DB) 262 and the service information DB 261 of the storage unit 160, respectively.

Furthermore, the communication control unit 110 receives an access request to the service server 400 from the user terminal 300, and transmits the encrypted user information encrypted by the encryption unit 150 to the user terminal 300.

The input/output control unit 120 controls transmission of various information with an external device via the input/output I/F 104. For example, the input/output control unit 120 transmits information to each functional unit in response to an input instruction from a service providing side management user from an input device (not shown) such as a touch panel, a keyboard, a microphone, a touch panel, a monitor, a speaker. Information from each functional unit is transmitted to an output device (not shown).

The determination unit 130 performs various determination processes. Note that machine learning or AI may be used for the determination. The encryption unit 150 encrypts the user information about the user of the user terminal 300 in response to the access request to the service server 400 transmitted from the user terminal 300.

The storage unit 160 has a function of storing various programs and various data necessary for the resource server 100 to operate in the storage 103 or the like. Further, as described above, the storage unit 160 stores the service information regarding the service providing side that uses the authentication system and the user information regarding the user. The storage unit 160 also stores a decryption key generation rule 163 and a hash key generation rule 164. The storage unit 160 corresponds to the first storage unit.

(2) Functional Configuration of Authentication Server The authentication server 200 includes a communication control unit 210, an input/output control unit 220, a determination unit 230, a generation unit 240, and a storage unit 250. The communication control unit 210 controls communication with the service server 400 via the communication I/F 205. In the embodiment of the present invention, the authentication server 200 communicates only with the service server 400, and does not communicate with the user terminal 300 or the resource server 100.

The communication control unit 210 transmits the data acquired by the communication with the service server 400 to the determination unit 230 or the storage unit 250, or transmits the data from the functional units to the service server 400. Therefore, the communication control unit 110 functions as a transmission unit and a reception unit that transmits and receives data to and from the service server 400. For example, the communication control unit 110 receives, from the service server 400, the encrypted user information and the service information regarding the service providing side of the service server 400. Furthermore, the communication control unit 110 transmits the authentication side decryption key generated by the generation unit 240 to the service server 400.

The storage unit 250 has a function of storing various programs and various data necessary for the authentication server 200 to operate in the storage 203 and the like. Further, the storage unit 250 stores the service information on the service providing side that uses the authentication system in the service information DB 251. Here, unlike the resource server 100, the authentication server 200 does not store user information. The service information stored in the authentication server 200 is preferably the same as the service information stored in the resource server 100 (details will be described later). The storage unit 250 of the authentication server 200 corresponds to the second storage unit. Further, the storage unit 250 stores the decryption key generation rule 252 and the hash key generation rule 253 which are the same as the decryption key generation rule 163 and the hash key generation rule 164 stored in the storage unit 160 of the resource server 100.

The determination unit 230 performs various determination processes. Note that machine learning or AI may be used for the determination. For example, the determination unit 230 determines whether the service information corresponding to the service information received by the communication control unit 210 is stored in the storage unit 250. In addition, the determination unit 230 determines whether or not the encrypted user information is acquired by unauthorized access, for example, by determining whether the service server 400 that has transmitted the encrypted user information is correct (true or false). Judgment (details will be described later).

When the determination unit 230 determines that the service server 400 that has transmitted the encrypted user information is true, the generation unit 240 generates an authentication-side decryption key for decrypting the encrypted user information.

(3) Functional Configuration of User Terminal FIG. 5 shows a functional configuration diagram of the user terminal 300 and the service server 400. The user terminal 300 includes a communication control unit 310, an input/output control unit 320, a generation unit 330, an imaging control unit 340, and a storage unit 350. Note that the function or processing of each functional unit may be realized by machine learning or AI within a feasible range.

The communication control unit 310 causes various information to be transmitted and received between the user terminal 300 and an external device (resource server 100, service server 400) via the network NET. The input/output control unit 320 controls transmission of various information with an external device via the input/output I/F. For example, the input/output control unit 320 transmits information to each functional unit according to an input instruction from a user accepted by an input device such as a touch panel and a microphone, and outputs each function to an output device such as a touch panel and a speaker. Communicate information from the department.

The generator 330 generates a hash based on a predetermined rule. The imaging control unit 340 controls imaging by the imaging unit according to an instruction from the user of the user terminal 300.

The storage unit 350 has a function of storing various programs and various data necessary for the user terminal 300 to operate in a storage or the like. For example, the storage unit 350 stores an application program for executing a predetermined service in the user terminal 300, and also stores an access token for the predetermined service.

(4) Functional Configuration of Service Server The service server 400 includes a communication control unit 410, an input/output control unit 420, a generation unit 430, a decryption unit 440, and a storage unit 450.

The communication control unit 410 causes various information to be transmitted and received between the service server 400 and external devices (the authentication server 200, the user terminal 300) via the network NET. The input/output control unit 420 controls transmission of various information with an external device via the input/output I/F. The generation unit 430 generates a hash based on a predetermined rule.

The decryption unit 440 decrypts the encrypted user information based on the service information 451 stored in the storage unit 450. The service information 451 includes a unique decryption key generated by the generation unit 140 of the resource server 100 and unique to the service providing side. The decryption unit 440 decrypts the encrypted user information using the unique decryption key and the authentication-side decryption key transmitted from the authentication server 200.

<Pre-registration process>
To use the authentication system 500, the service provider and the user need to register in advance with the authentication system. The pre-registration process will be described below. FIG. 6 is a sequence diagram of the pre-registration process.
(1) Pre-Registration Processing on Service Providing Side Upon pre-registration, the service server 400 transmits service information to the resource server 100 (step S11). The service information includes the IP address of the service server 400, the destination URL of the user information, and information about the service provider. The destination URL of the user information is information indicating the destination of the user information required for registration from the user terminal of the user who desires to use the service. Even if the administrator of the authentication system 500 judges the service provider based on the information about the service provider and judges that the service provider can be trusted, even if the registration to the authentication system 500 is permitted. Good. In addition, the examination of the service providing side includes collecting information about the service providing side by crawling the web page, and predicting the business of the service providing side by AI or machine learning (for example, stock price forecast, sales forecast, etc.). May be done by software.

The generation unit 140 of the resource server 100 generates a service ID (account information), a secret key unique to the service providing side, and a unique decryption key for the service server 400 (step S12). The generation unit 140 generates a secret key and a decryption key that differ for each service that uses the authentication system 500. The communication control unit 110 of the resource server 100 transmits the generated service ID, secret key, and decryption key to the service server 400 (step S13). The service ID of the authentication system 500, the unique secret key, and the unique decryption key are stored in the storage unit 450 of the service server 400 (step S14).

FIG. 9 shows an example of information stored in the storage unit 450 of the service server 400. The table TB40 is an example of the service information 451. As shown in the table TB40, the service server 400 stores a service ID, a unique secret key, and a unique decryption key that uniquely identify the service providing side in the authentication system 500. The service server 400 may further store information about the authentication system 500 (registration date in the example of the drawing).

The service ID, secret key, and IP address of each service are transmitted from the resource server 100 to the authentication server 200 (step S15). At least the service ID, the IP address, and the secret key are stored in the storage unit 250 of the authentication server 200 for each service (step S16). In addition, at least the service name, IP address, and destination URL are stored for each service in the storage unit 160 of the resource server 100 (step S17).

FIG. 7A shows an example of information stored in the storage unit 160 of the resource server 100. The table TB10 is an example of the service information DB 161. As shown in the table TB10, the resource server 100 stores at least a service name, a service ID, an IP address, and a destination URL for each service that uses the authentication service 500. The resource server 100 may further store information about the service provider (industry in the example in the figure).

Further, FIG. 8 shows an example of information stored in the storage unit 250 of the authentication server 200. The table TB30 is an example of the service information DB 251. As shown in the table TB30, the authentication server 200 stores at least a service name, a service ID, a secret key, and an IP address for each service. The authentication server 200 may further store information on the service providing side (industry in the example of the figure).

(2) User Pre-Registration Process Upon pre-registration, the user information of the user is transmitted from the user terminal 300 to the resource server 100 (step S18). It is preferable that the user information includes at least information such as a user name, date of birth, address, and telephone number that can confirm that the user is the user. The generation unit 140 of the resource server 100 generates a user account and an access token for the user account (step S19). The access token may be, for example, Cookie. The generated access token is transmitted from the resource server 100 to the user terminal 300 (step S20). The access token is stored in the storage unit 350 of the user terminal 300 (step S21). Further, user information is stored in the storage unit 160 of the resource server 100 (step S22).

FIG. 7B shows an example of user information stored in the storage unit 160 of the resource server 100. The table TB20 is an example of the user information DB 162. As shown in the table TB20, the resource server 100 stores at least a user name, a service ID, an IP address, and a destination URL for each user who uses the authentication service 500. The resource server 100 may further store information about the service provider (industry in the example in the figure). Note that, as shown in the table TB20, a different user ID is assigned to one user for each service. The profile information will be described later.

<Selection of services that use authentication>
A user who has registered in the authentication system 500 can select a service to be registered by using the authentication system. At this time, according to the embodiment of the present invention, the user can select an item to be used for registration in his/her profile information (user information) for each service. This will be described with reference to the drawings.

The screen 10 of FIG. 10 is an example of a screen for selecting whether or not to use the authentication service in the use registration of the service X. Here, when the button 11 is selected by the user, a usage registration request is transmitted from the user terminal 300 to the service server 400, and the service server 400 displays information for displaying an item selection screen for selecting an item to be transmitted to the service X. Is transmitted to the user terminal 300.

The screen 20 of FIG. 10 is an example of a selection screen of items used for registration of use of the service X. On the screen 20, a name, profile picture, and bank account are displayed as the item list 12. Here, the items displayed in the list 12 differ depending on the service. At the time of pre-registration in the authentication system 500, the service provider side pre-registers in the resource server 100 the items to be acquired from the user. In the user terminal 300, when the user selects an item to be transmitted to the service X from the list 12 and the send button 13 is selected, the generation unit 330 of the user terminal 300 requests the information transmission request including the item selected by the user. To generate. The communication control unit 310 of the user terminal 300 transmits the information transmission request to the resource server 100.

The screen 30 of FIG. 10 is an example of a screen for selecting a service for using the authentication service by the authentication system 500 after logging in to the authentication system 500. Here, when the service X is selected by the user, a usage registration request is transmitted from the user terminal 300 to the service server 400, and the service server 400 displays information for displaying an item selection screen (screen 20 in FIG. 10). It transmits to the user terminal 300. Since the screen 20 is the same as the above, the description is omitted.

As described above, the user can select the item to be transmitted in his/her profile information for each service registered using the authentication system 500. The generation unit 140 of the resource server 100 generates a first token that proves that the user has accessed the item selection screen 20.

<Authentication process>
Next, user authentication processing (user information certification processing) will be described with reference to FIG. FIG. 11 is a sequence diagram of the authentication process. For the sake of explanation, the service used by the user will be referred to as service X, the user of the user terminal 300 will be referred to as user A, those associated with service X will be indicated as XX, and those associated with user A will be indicated as XX. I will explain with the letter A.

As described above, the generation unit 330 of the user terminal 300A generates the information transmission request. The information transmission request includes a character string uniquely indicating the service X of the transmission destination, and a character string indicating information regarding an item to be transmitted (hereinafter referred to as “transmission item”) of the profile information selected by the item selection screen 20. Alternatively, the list, the first token that proves that the selection screen 20 is accessed, and the user ID of the user in the service X are included. The user terminal 300A transmits the information transmission request to the resource server 100. Here, the HTTP POST method may be used for the transmission.

Upon receiving the information transmission request, the resource server 100 determines whether or not the information transmission request is from the user who has accessed the item selection screen 20 based on the presence/absence of the first token (step T12). When the first token is not included in the information transmission request (NO in step T12), a response instructing the redirect to the item selection screen is transmitted (step T13). When the first token is included in the information transmission request (YES in step T12), the encryption unit 150 of the resource server 100 encrypts the transmission item included in the information transmission request (step T14). Specifically, the encryption unit 150 encrypts all the information included in the information transmission request as a JSON character string in a dictionary format to obtain an encrypted character string (crypted_string). In order to decrypt the encrypted character string encrypted by the encryption unit 150, the decryption key X unique to the service X assigned to the service X of the transmission destination of the transmission item and the storage unit 160 of the resource server 100 are stored. A decryption key (denoted as decryption key P) generated based on the stored decryption key generation rule 163 is required. As shown in the table TB20 of FIG. 7B, the user has a different user ID for each service. Therefore, it is possible to prevent the user information from being misused or leaked by the service providing side.

Further, the generation unit 140 of the resource server 100 generates a hash key (referred to as a hash key H) according to the hash key generation rule 164, and uses the above-mentioned encrypted character string or the character string obtained by decoding the encrypted character string as the hash key H. Is hashed using. It should be noted that the generation of the decryption key P in the above-described decryption key generation rule 163 and the generation of the hash key in the hash key generation rule 164 are performed using the time stamp and the service of the service X stored in the storage unit 160 of the resource server 100. Information is used. Further, unlike the rules for generating the decryption key P and the rules for generating the hash A, it is impossible to infer one from the other.

The encrypted user information generated in step T14 is transmitted from the resource server 100 to the user terminal 300 (step T15), and transmitted from the user terminal 300 to the service server 400X of the service X (step T16). Here, the HTTP POST method is used for transmission. The encrypted user information includes a destination URL to the service X, a time stamp, an encrypted character string, and a hash A.

Upon receiving the encrypted user information, the generation unit 430 of the service server 400 adds the service ID (service X_ID) in the authentication system 500 of the service X to the encrypted user information, and is added from the resource server 100 in the pre-registration process. Hashing is performed using the secret key X (step T17). That is, the generation unit 430 connects the time stamp, the encrypted character string, the hash A, and the service ID (service X_ID) included in the encrypted user information, and generates the hash B hashed with the secret key X. The communication control unit 410 of the service server 400 transmits the generated hash B, the time stamp included in the encrypted user information, the encrypted character string, the hash A, and the service ID to the authentication server 200 (step T18). ..

The authentication server 200 performs authentication based on the hash B (step T19). Specifically, the procedure is as follows.

First, it is determined whether the time stamp is within the expiration date. Here, the expiration date can be set arbitrarily. Then, the information regarding the service ID that is the same as the service ID (service X_ID) included in the encrypted user information is read from the service server 400 from the storage unit 250 of the authentication server 200. Next, it is determined whether the IP address stored in the storage unit 250 in association with the service X_ID matches the IP address of the transmission source of the encrypted user information. If the IP addresses match, it means that the data was not obtained illegally. Based on the time stamp and the service information stored in the storage unit 250 in association with the service X_ID, the decryption key generation rule 252 and the hash key generation rule 253 also stored in the storage unit 250 are used to perform the decryption. Generate keys and hashes.

Here, the decryption key generation rule 163 and the hash key generation rule 164 stored in the resource server 100 are the same as the decryption key generation rule 252 and the hash key generation rule 253 stored in the authentication server 200, respectively. Therefore, if the decryption key and the hash key are generated using the same parameter, the one generated by the resource server 100 and the one generated by the authentication server 200 are the same. Therefore, when the decryption key generated by the authentication server 200 matches the decryption key P and the hash of the authentication server 200 matches the hash A, the access of the service server 400 that has transmitted the encrypted user information is correct. It is determined that there is, and the access is authenticated (YES in step T19).

When authenticated, the decryption key P generated by the authentication server 200 is transmitted to the service server 400 (steps T20 and T21). Upon receiving the decryption key P, the decryption unit 440 of the service server 400 combines the received decryption key P with the unique decryption key A as a decryption key to decrypt the encrypted character string (step T22). The item selected by the user is acquired from the decrypted JSON character string and registered as the user of the service.

If the decryption key generated by the authentication server 200 does not match the decryption key P or the hash generated by the authentication server 200 does not match the hash A (NO in step T19), it is determined that there is an error in the service server. Respond to 400 or end the processing.

As described above, according to the authentication system of the embodiment of the present invention, the profile information of the user can be provided to the service providing side while ensuring its accuracy. Also, the user information is stored only in the resource server 100 and not in the authentication server 200. Further, only the user terminal 300 accesses the resource server 100 in which the user information is stored. Further, the user information transmitted to the service providing side can be selected by the user, and the service server 400 stores only the item selected by the user. Therefore, it is possible to reduce the possibility of information leakage on the communication path and an unauthorized request from the outside. Moreover, since casual use by the HTTP protocol is possible, it is possible to realize an authentication method with a simple method.

Further, according to the embodiment of the present invention, a unique decryption key is added to the service server 400, and in addition to the decryption key generated by the authentication server 200, the unique decryption key is added to decrypt the encrypted user information. I need. Therefore, even if the communication between the authentication server 200 and the service server 400 is illegally accessed and the decryption key is leaked, it is possible to prevent the decryption of the encrypted user information.

In general, in order to ensure accuracy and realize a more reliable and secure authentication system, it is required to have a user provide a large amount of information and prevent unauthorized users from being registered. According to an embodiment of the present invention, a user can select information to be provided to each service by himself even if he provides a lot of information when registering in the authentication system. Therefore, it is possible to protect the personal information and provide a system with higher usability.

<Provision of user information>
Here, an example of a user information providing process at the time of pre-registration in the authentication system 500 will be described with reference to FIG. FIG. 12A is an example of the identification screen image capturing screen 40 displayed on the user terminal 300. In registering the user information, for example, an image obtained by photographing the ID card can be recognized by an image recognition technique, and items included in the ID card can be extracted as character information. With such a configuration, user information can be input by a simple method. In addition, FIG. 12B is an example of a shooting screen 50 of a user's face photograph. It is preferable to allow the user to perform a series of processes of taking an ID card and taking a face picture of the user.

The user's face may be captured as a moving image. At this time, as shown in the screen 50, a predetermined keyword 14 (“November 28, lemon” in the example of FIG. 12) may be uttered. Accordingly, facial expressions of various users can be acquired and used as input information for machine learning used for determination by AI described later.

User confirmation by AI based on the moving image information acquired by the above processing will be briefly described.

(1) About face photograph It is determined by the analysis library or service that the user is speaking the presented keyword and that it is not a composited moving image. A still image is cut out from the moving image, and the cut out still image is given as an input for machine learning.
(2) Identification card For each still image cut out from the video, image authenticity/machinery analysis using a library such as OpenCV (Open Source Computer Vision Library) and the authenticity of documents using a predetermined authentication service. By learning, determine whether the face picture of the ID card and the face included in the video are the same person

In addition, in order to prevent duplicate registration by one user in the authentication system 500, whether the ID number of the ID or document (license number, passport number, serial number, etc.) has already been registered, or the name or address, When the dates of birth are duplicated, it may be determined whether or not the person is the same person by AI together with the face photograph.

It should be noted that the face picture may be taken by the user a plurality of times. All the facial photographs are used as inputs for machine learning, and can improve the determination accuracy.

<Reward to user>
According to an embodiment of the present invention, a predetermined reward is associated with a user whose transmission item satisfies a predetermined condition according to an item selected by the user and transmitted to the service in the user information. Good. The predetermined reward is preset by the service provider and stored in the resource server 100. For example, in the selection screen 20 shown in FIG. 13, when all the items in the list 12 are selected, a predetermined reward may be associated with the user. The predetermined reward may be points available in the service X or money. Further, a predetermined questionnaire screen 21 may be displayed after the send button 13 is selected on the selection screen 20. Then, the user may be rewarded according to the number of answers to the questionnaire. With such a configuration, the service providing side can acquire and store more user information.

Although the present invention has been described based on the drawings and the embodiments, it should be noted that those skilled in the art can easily make various variations and modifications based on the present disclosure. Therefore, it should be noted that these variations and modifications are included in the scope of the present invention. For example, the functions and the like included in each constituent unit and each step can be rearranged so as not to logically contradict, and a plurality of constituent units and steps can be combined or divided into one. Is. In addition, the configurations described in the above embodiments may be combined as appropriate. For example, each component described as being included in the resource server 100 and the authentication server 200 may be realized by being distributed by a plurality of servers, or may be realized by the same server. A person skilled in the art can implement the same server with substantially the above contents. However, in the sense of being prepared for an unexpected situation, it is preferable to actually separate them. It should be noted that the “server” in this specification is not limited to a physical server itself, but a virtual server or a program itself that realizes the function of the server. Further, each component may be provided by an API (Application Programming Interface).

For example, the private key and the decryption key are not used as they are, but are used as variables of the hash key generation rule shared by the authentication server 200 and the resource server 100, and the generated hash character string is used as a key. The safety can be increased.

Further, the variables used to generate the decryption key P and the hash key H are not limited to those described above, and other variables may be used. For example, a time stamp may be used to provide an expiration date from the issuance of the hash key to the inquiry. Further, SSH (Secure SHell) may be used for the inquiry from the service server 400 to the authentication server 200 to further enhance the security. Further, the information transmission request may be encrypted. In that case, it is preferable that the encryption key is changed as a one-time password by dividing it by the expiration date. Further, as a measure against unauthorized access, the registration information of the service provider stored in the authentication server 200 may be hashed and stored. In this case, the same generation rule is used for the hashes generated by the resource server 100. Any encryption algorithm can be used. Further, the user ID may be image information instead of a character string.

Further, in the reply to the inquiry from the service server 400 to the authentication server 200 on the communication path in the authentication system 500, information leakage, falsification, and unauthorized access are assumed. However, the attacker is correct in all of the time stamp, the service-specific secret key used as the hash key, the encrypted character string (crypted_string), the hash A, and the connection source IP address (falsification of the service server IP address). You need to prepare things. It is difficult to match the encrypted character string (crypted_string) and the hash A unless they have leaked from any communication path in the authentication system 500. Even if the attack succeeds and the attacker receives the decryption key P, the encrypted character string (crypted_string) cannot be restored unless the unique decryption key assigned to each service is obtained. Further, even if the data can be decrypted, the only information leaked is the information transmitted by one user at that time.

<Use as ID>
Furthermore, the authentication system according to the present invention can be used as an ID card. In the pre-registration process for the authentication system 500, user information is stored in the resource server 100. This user information can be provided to the service side as an identification by the above-mentioned authentication processing. FIG. 14A is an example of a display screen of user information (identification card 40) registered in the authentication system 500 on the user terminal 300. Note that the diagram is an example, and the items included in the identification card 40 may be less or more than this. For example, by using the authentication system according to the present invention, the user information (address, name, telephone number, etc.) need not be entered at the time of check-in at a hotel, entering a reserved store, or accepting at a hospital or the like. be able to.

When the user visits the actual store (store on the service providing side using the authentication system 500), a check-in screen (transmission item selection screen) 41 as shown in FIG. 14B is displayed on the user terminal 300. This may be displayed by inputting the identification information of the actual store in the authentication system 500 to the user terminal 300. For example, in the user terminal 300, which causes the user terminal 300 to read the passcode displayed on the store terminal installed in the actual store, or input by the user, the identification information is transmitted from a beacon or the like installed in the actual store, A method of designating an actual store in advance may be used. On the check-in screen 41, the user selects an item to be presented as an ID card at the actual store. Then, the user information is authenticated by the above-described authentication processing and transmitted to the actual store side. With such a configuration, the user can input the user information by a simple method. In addition, the actual store side can obtain highly reliable user information with a low possibility of disguising the user information.

The advantages of the present invention will be reiterated. According to the present invention, since the HTTP protocol can be used for all communication paths, the service providing side can easily use it. Further, since the IP address to the service server may be registered, the firewall can be easily set in the URL for inquiry from the service server. Further, SSH can be used only for this portion to make it more secure. Further, it is not necessary to store the user information in the authentication server 200, and it is difficult for information leakage, falsification, and unauthorized access except at the user level, and it is difficult to collectively leak information of a plurality of users.

Further, the user selects the send button 13 on the selection screen 20, and until the authentication is completed, the page movement is completed once for the user. Also, from the service providing side, the user can be authenticated in one session.

Furthermore, the user can send the information guaranteed by the authentication system to the service provider with one click, and since the service provider is registered in the authentication system, the user information can be sent to a malicious third party. The risk of being killed is low.

The service provider can obtain the information guaranteed by the authentication system for each user with one click. Since the user is given a different identifier for each service, the identity of the user can be determined at least within the range guaranteed by the authentication system, and duplicate registration of the user can be avoided. When the user logs in to the authentication service, a list of services that can use the authentication service is displayed as in the screen 30 of FIG. 10. Therefore, as an advertisement introducing the service to the user, the user can be prompted to register for the service.

The program of each embodiment of the present disclosure may be provided in a state of being stored in a computer-readable storage medium. The storage medium can store the program in a “non-transitory tangible medium”. The programs include, for example, software programs and computer programs.

The storage medium is, where appropriate, one or more semiconductor-based or other integrated circuits (ICs) (eg, field programmable gate arrays (FPGAs), application specific ICs (ASIC), etc.), hard Disk drive (HDD), hybrid hard drive (HHD), optical disk, optical disk drive (ODD), magneto-optical disk, magneto-optical drive, floppy diskette, floppy disk drive (FDD), magnetic tape, solid-state drive (SSD), RAM drive, secure digital card or drive, any other suitable storage medium, or any suitable combination of two or more thereof. Storage media may be volatile, non-volatile, or a combination of volatile and non-volatile, where appropriate.

In addition, the program of the present disclosure may be provided to the information processing device via any transmission medium (communication network, broadcast wave, or the like) capable of transmitting the program.

Each embodiment of the present disclosure can also be realized in the form of a data signal embedded in a carrier wave in which a program is embodied by electronic transmission.

The program of the present disclosure is implemented using, for example, a script language such as Java Script (registered trademark), Python, C language, Go language, Swift, Koltin, Java (registered trademark), or the like.

500 authentication system 100 resource server 110 communication control unit 120 input/output control unit 130 determination unit 140 generation unit 150 encryption unit 160 storage unit 163 decryption key generation rule 164 hash key generation rule 200 authentication server 210 communication control unit 220 input/output control unit 230 determination unit 240 generation unit 250 storage unit 251 service information DB
252 Decryption key generation rule 253 Hash key generation rule 300 (300A, 300B) User terminal 310 Communication control unit 320 Input/output control unit 330 Generation unit 340 Imaging control unit 350 Storage unit 400 (400A, 400B) Service server 410 Communication control unit 420 Input/output control unit 430 Generation unit 440 Decoding unit 450 Storage unit 451 Service information 100 Information processing device 101 Processor 102 Memory 103 Storage

Claims (9)

An authentication system for authenticating access to a service server by a user terminal, comprising an authentication server and a resource server,
The resource server is
A first storage unit that stores at least user information about a user of the user terminal and service information about a service of the service server;
An encryption unit that encrypts user information about a user of the user terminal in response to an access request sent from the user terminal to the service server;
A transmission unit for transmitting the encrypted user information encrypted by the encryption unit to the user terminal,
Equipped with
The authentication server is
A second storage unit that stores service information related to the service of the service server;
A receiving unit that receives, from the service server that has received the encrypted user information from the user terminal, the service information related to a service of the service server together with the encrypted user information;
If the service server that has transmitted the service information is determined to be true based on the service information stored in the second storage unit that corresponds to the service information received by the reception unit, the encrypted user information A decryption key generation unit that generates an authentication-side decryption key for decrypting
A transmission unit for transmitting the authentication side decryption key to the service server;
An authentication system comprising. The resource server generates a unique decryption key unique to the service server and sends it to the service server,
The decryption key generation unit generates the authentication-side decryption key so that the encrypted user information is decrypted by decrypting in combination with the unique decryption key,
The authentication system according to claim 1, wherein: The transmission unit in the resource server transmits, to the user terminal, display information for displaying an item selection screen for selecting an item to be transmitted as the user information from a plurality of items in the user terminal,
The authentication system according to claim 1 or 2, characterized in that. The encryption unit in the resource server encrypts the user information when the item selection screen is accessed in the user terminal in response to the access request to the service server sent from the user terminal. Turn into
The authentication system according to claim 3, wherein: The service information stored in the first storage unit and the second storage unit includes an IP address of the service server,
The decryption key generation unit of the authentication server is configured such that the IP address included in the service information stored in the second storage unit corresponding to the service information received by the reception unit is received by the reception unit. If the IP address of the transmission source of the service information matches, the service server that transmitted the service information is determined to be true.
The authentication system according to any one of claims 1 to 4, wherein: In the authentication system,
An item to be transmitted as the user information is associated with a predetermined reward to a user who satisfies a predetermined condition,
The authentication system according to claim 3, wherein: The authentication system includes a plurality of service servers,
The first storage unit of the resource server associates, as the user information, a different user ID for each service used by the user,
The authentication system according to any one of claims 1 to 6, characterized in that. An authentication method of an authentication system comprising an authentication server and a resource server, which authenticates access to a service server by a user terminal,
The resource server is
Storing at least user information about a user of the user terminal and service information about a service of the service server in the first storage unit;
Encrypting user information about a user of the user terminal in response to an access request sent from the user terminal to the service server;
Transmitting encrypted user information encrypted by the encrypting step to the user terminal,
Run
The authentication server is
Storing service information related to the service of the service server in the second storage unit;
Receiving, from the service server, which has received the encrypted user information from the user terminal, the service information related to a service of the service server together with the encrypted user information,
If the service server that transmitted the service information is determined to be true based on the service information stored in the second storage unit that corresponds to the service information received in the receiving step, the encrypted user Generating an authenticator decryption key for decrypting the information,
Sending the authenticator decryption key to the service server;
Authentication method to perform. An authentication program for an authentication system comprising an authentication server and a resource server, which authenticates access to a service server by a user terminal,
In the resource server,
A first storage function for storing at least user information about a user of the user terminal and service information about a service of the service server;
An encryption function for encrypting user information about a user of the user terminal in response to an access request to the service server transmitted from the user terminal,
A transmission function of transmitting the encrypted user information encrypted by the encryption function to the user terminal,
Is realized,
In the authentication server,
A second storage function for storing service information related to the service of the service server;
A reception function of receiving, from the service server, which has received the encrypted user information from the user terminal, the service information regarding a service of the service server together with the encrypted user information,
If the service server that has transmitted the service information is determined to be true based on the service information stored in the second storage function, which corresponds to the service information received by the reception function, the encrypted user information A decryption key generation function that generates an authentication-side decryption key for decrypting
A transmission function for transmitting the authentication side decryption key to the service server,
An authentication program that realizes

Images